A network traffic correlation engine monitors inbound and/or outbound connection information received from on each host computer system on a network. Each host device on the network store data logs corresponding to information corresponding to communications sent by the device and received by the device. The network traffic correlation engine correlates connections between different hosts throughout the network. If the network traffic correlation engine identified unmatched outbound and inbound connections, the network traffic correlation engine generates an alert to initiate further investigation and may also provide a mapping of the communications showing a possible start device for the connection and/or a type of access that the connections may now be providing.
Legal claims defining the scope of protection, as filed with the USPTO.
4. The system of claim 1, wherein triggering the alert comprises providing an indication of the alert on a user interface device at a central location on the enterprise network.
5. The system of claim 1, wherein the anomalous communication condition comprises an indication that logging of sent messages was disabled.
6. The system of claim 1, wherein monitoring of network communications information aggregated from a plurality of hosts on the enterprise network comprises aggregating information received from a plurality of host intrusion detection systems each associated with a different host device.
10. The method of claim 7, wherein triggering the alert comprises providing an indication of the alert on a user interface device at a central location on the enterprise network.
11. The method of claim 7, wherein the anomalous communication condition comprises an indication that logging of sent messages was disabled.
12. The method of claim 7, wherein the monitoring of network communications information aggregated from a plurality of hosts on the enterprise network comprises aggregating information received from a plurality of host intrusion detection systems each associated with a different host device.
13. The method of claim 7, further comprising determining, based on whether a correlation exists between a first communication and a second communication, whether an anomalous communication condition exists.
17. The one or more non-transitory computer-readable media of claim 14, wherein triggering the alert comprises providing an indication of the alert on a user interface device at a central location on the enterprise network.
18. The one or more non-transitory computer-readable media of claim 14, wherein an anomalous communication condition comprises an indication that logging of sent messages was disabled.
19. The one or more non-transitory computer-readable media of claim 14, wherein monitoring of network communications information aggregated from a plurality of hosts on the enterprise network comprises aggregating information received from a plurality of host intrusion detection systems each associated with a different host device.
20. The one or more non-transitory computer-readable media of claim 15, wherein the instructions further cause the host computing device to determine, based on whether a correlation exists between a first communication and a second communication, whether an anomalous communication condition exists.
Cooperative Patent Classification codes for this invention. Click any code to explore related patents in that topic.
January 18, 2023
January 30, 2024
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.